该内核漏洞被用于太极越狱v2.0,并于iOS 8.4.1版本中被修补。Apple的安全公告中给出的漏洞编号为CVE-2015-5774,但并未提及漏洞的细节。


typedef enum {
    kIOHIDResourceUserClientResponseIndexResult = 0,
} IOHIDResourceUserClientResponseIndex;

    {   // kIOHIDResourceDeviceUserClientMethodPostReportResult
        (IOExternalMethodAction) &IOHIDResourceDeviceUserClient::_postReportResult,
        kIOHIDResourceUserClientResponseIndexCount, -1, /* 1 scalar input: the result, 1 struct input : the buffer */
        0, 0


Black Hat & XCon

盘古团队于上周8月6日在拉斯维加斯举办的Black Hat USA 2015会议上分享了”Review and Exploit Neglected Attack Surfaces in iOS 8″的议题。该议题分析了iOS系统中一些不被注意的攻击面,针对内核层讨论了IOKit Fuzz的改进,针对用户层则重点介绍了XPC Fuzz。
错过该议题的同学也可以在下周举办的XCon 2015上听到该议题的分享。

Black Hat Slide下载






  <meta http-equiv="x-ua-compatible" content="IE=5" />
   function fuzz0(){
   function entry(){
 <body id=e_0 onload=entry() onactivate=fuzz0()>
  <table id=e_1>
   <big id=e_2>

挂上调试器打开此页面,崩溃地址和寄存器的数值非常不稳定,但在打开page heap后,崩溃点很明显的指向一个固定地址。以WinXP SP3全补丁虚拟机为例,崩溃时log如下:


Let the Truth Speak for Itself

After the release of our blogpost, it is very funny to see Mr. Stefan continues to post unwarranted and spiteful conjectures on Twitter and his blogpost. We suggest the reader refer to our blogpost as well as his blogpost to understand the backgroud.

Among his numerous discriminations and accusations against us (such as calling us thieves and criminals), the main one is that he claims that we have been trying to buy/acquire vulnerabilities to achieve jailbreaks. The “horribly” strong evidence is a piece of chat history between him and @windknown, a member of our team. Although we think it is immoral to post private messages to the public, we do not mind showing the full chat history, and let the truth speak for itself.


IOHIDSecurePromptClient::injectStringGated Heap Overflow


update – 漏洞发现者博客



IOExternalMethod *
IOHIDSecurePromptClient::getTargetAndMethodForIndex(IOService ** targetP, 
                                                    UInt32 index)
        // 12: kIOHIDSecurePromptClient_injectString
        { NULL, (IOMethod)&IOHIDSecurePromptClient::injectStringMethod, kIOUCStructIStructO, kIOUCVariableStructureSize, 0 },       

injectStringMethod -> injectStringGated 函数中将输入的参数拷贝到缓冲区时没有对长度做任何检查,从而会导致堆溢出:

IOHIDSecurePromptClient::injectStringGated(void * p1, void * p2, void * p3 __unused,void * p4 __unused)
    IOReturn result = kIOReturnBadArgument;
    IOHIDSecurePromptClient_RawKeystrokeData * dummyRawData = NULL;
    UTF32Char *string = (UTF32Char*)p1;
    intptr_t length = (intptr_t)p2 / sizeof(UTF32Char);
    vm_size_t dummyDataSize = length * sizeof(IOHIDSecurePromptClient_RawKeystrokeData);


    dummyRawData = (IOHIDSecurePromptClient_RawKeystrokeData*)IOMalloc(dummyDataSize);
    memset(dummyRawData, 0xff, dummyDataSize);

    // _reserved->rawKeystrokes是在IOServiceOpen的时候分配的堆内存,在这里拷贝的时候没有检查输入的length
    __InsertBytes(_reserved->rawKeystrokes, _reserved->insertionPoint, _reserved->stringLength, string, length,  sizeof(UTF32Char));
    __InsertBytes(_reserved->unicode, _reserved->insertionPoint, _reserved->stringLength, dummyRawData, length,  sizeof(UTF32Char));
    __EraseMemory(string, length * sizeof(UTF32Char));
    _reserved->insertionPoint += length;
    result = kIOReturnSuccess;



Jailbreak Should not Tolerate Regional Discrimination

Since the first release of our untethered jailbreak tool Pangu 7 in June 2014, there have been many ridiculous rumors, discriminations, and vilifications on our team, especially from Stefan Esser (‏@i0n1c). As a team of “nerds”, we did not want to waste time on responding such useless things and hoped that eventually these things would stop after a while. We put 100% efforts on developing new jailbreaks for iOS 8 and successfully released Pangu 8 roughly a month after iOS 8 was released.

We could ignore the increasingly unfunny and ridiculous comments on our team, but cannot bear the racist comments from Stefan Esser in his recent talk at Syscan, which deliberately separate the jailbreak community with “Chinese” and “Western” labels and are full of morbid imaginations. In fact, many well-known iOS “Western” hackers including comex and P0sixninja are visiting Beijing, China today for a mobile security summit.

Apparently, the Pangu team cannot represent all Chinese jailbreak developers. We hereby just want to clarify the rumors, discriminations, and vilifications on our team.

The financial sponsorship of the Pangu team is mainly used to cover the cost of developing jailbreak tools

The “1 million USD” rumor was first posted when evasi0n 7 was released.

For us, our sponsorship is mainly used to support the development of jailbreak tools, cover the cost of software testing, and facility the download servers, etc. Note that, to make our untethered jailbreak tool reliable, we need to test all hardware models from iPhone 4s to iPhone 6 Plus, from iPad 2 to iPad Air, all iOS versions from 7.1 to 8.1. The sponsorship is also used to purchase all kinds of iOS devices for the testing purpose. But anyway, we are also wondering where the “1 million USD” is, LOL.

The Pangu team does not buy vulnerabilities, never and ever



CVE-2014-4461 – IOSharedDataQueue映射内存漏洞


IOSharedDataQueue类用于队列数据的管理,并且能够被映射到用户态下共享。由于返回的映射内存的大小设置问题,导致除了Data数据外还映射了notify msg的内存区域,从而可以在用户态下读取/改写msg内port的指针。


Boolean IOSharedDataQueue::initWithCapacity(UInt32 size)


    if (allocSize < size) {
        return false;

    // 分配足够大小的内存给dataQueue
    dataQueue = (IODataQueueMemory *)IOMallocAligned(allocSize, PAGE_SIZE);
    if (dataQueue == 0) {
        return false;


    // notifyMsg成员被放在dataQueue的尾部
    appendix            = (IODataQueueAppendix *)((UInt8 *)dataQueue + size + DATA_QUEUE_MEMORY_HEADER_SIZE);
    appendix->version   = 0;
    notifyMsg           = &(appendix->msgh);

    return true;



CVE-2014-4487 – IOHIDLibUserClient堆溢出漏洞



    { //    kIOHIDLibUserClientGetElements
    (IOExternalMethodAction) &IOHIDLibUserClient::_getElements,
    1, 0,
    0, kIOUCVariableStructureSize


IOReturn IOHIDLibUserClient::_getElements(IOHIDLibUserClient * target, void * reference __unused, IOExternalMethodArguments * arguments)
    if ( arguments->structureOutputDescriptor )
        return target->getElements((uint32_t)arguments->scalarInput[0], arguments->structureOutputDescriptor, &(arguments->structureOutputDescriptorSize));
        return target->getElements((uint32_t)arguments->scalarInput[0], arguments->structureOutput, &(arguments->structureOutputSize));

IOReturn IOHIDLibUserClient::getElements (uint32_t elementType, void *elementBuffer, uint32_t *elementBufferSize)
        elementLength = mem->getLength();
        if ( elementLength )
            // 根据用户指定的大小来分配内存
            elementData = IOMalloc( elementLength );

            if ( elementData )
                bzero(elementData, elementLength);

                // 向分配的堆中填充数据,elementLength更新为实际填充的数据长度
                ret = getElements(elementType, elementData, &elementLength);

                if ( elementBufferSize )
                    *elementBufferSize = elementLength;

                mem->writeBytes( 0, elementData, elementLength );

                // 释放刚分配的堆
                IOFree( elementData, elementLength );


CanSecWest Speech

盘古团队于3月19日在温哥华举办的CanSecWest会议上分享了“Userland Exploits of Pangu 8”的议题,详细介绍了Pangu8越狱在用户态下使用的一些exploits细节以及如何突破iOS8中一些新的安全机制。

PDF下载: CanSecWest2015_Final